
Author dstufft
Recipients alex, christian.heimes, dstufft, pitrou
Date 2014-03-22.18:10:47
Message-id <1395511847.78.0.843474107911.issue21013@psf.upfronthosting.co.za>
Content
I'll do that :)

To be clear about this patch, it raises the upper bounds of security by enabling TLS 1.1 and 1.2, as well as single use for (EC)DH and preferring the server's ciphers.

However, it also lowers the lower bounds of security and includes SSLv3, which has some issues (see https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_3.0). However, there exist clients that only support SSL3 (the primary one I'm aware of is IE6 on Windows XP).

We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's sort of a situational thing. If you're doing something where you need SSL3 clients you don't want OP_NO_SSLv3.

So I guess the question is, do we want to be more secure by default and *not* lower the lower bounds of security and require people to add context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3 connections?
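An added example, not code from this issue or from CPython itself, that builds a server context carrying the patch's options and shows the two policies weighed above: keeping OP_NO_SSLv3 set by default, versus opting back in with the `options & ~ssl.OP_NO_SSLv3` expression quoted in the message. It assumes a modern `ssl` module (PROTOCOL_TLS_SERVER); the helper names are mine.

```python
import ssl
import warnings

# Options the patch under discussion turns on: single-use (EC)DH keys and
# server-side cipher ordering.  On OpenSSL >= 1.1.0 the two SINGLE_*_USE
# flags are no-ops (value 0) because that behaviour became unconditional.
HARDENING_OPTIONS = (
    ssl.OP_SINGLE_DH_USE
    | ssl.OP_SINGLE_ECDH_USE
    | ssl.OP_CIPHER_SERVER_PREFERENCE
)


def build_server_context(allow_sslv3: bool) -> ssl.SSLContext:
    """Hypothetical helper (not ssl.create_default_context). allow_sslv3=False
    keeps the secure default; True applies the opt-in from the message."""
    # PROTOCOL_TLS_SERVER negotiates the highest version both peers support,
    # so TLS 1.1/1.2 (and later) are in play without listing them.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # OP_NO_* bits are deprecated since 3.10 in favour of minimum_version,
        # but they are what the discussion above is about.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= HARDENING_OPTIONS | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
        if allow_sslv3:
            # The opt-in the message proposes: clear the bit explicitly.
            # Plain ints keep the mask non-negative for the options setter.
            ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when OP_NO_SSLv3 is set.  Caveat: an OpenSSL built without SSLv3
    refuses it regardless, so the bit is a policy signal, not a proof."""
    return bool(int(ctx.options) & int(ssl.OP_NO_SSLv3))


def server_prefers_own_ciphers(ctx: ssl.SSLContext) -> bool:
    """True when the server's cipher order wins over the client's."""
    return bool(int(ctx.options) & int(ssl.OP_CIPHER_SERVER_PREFERENCE))


if __name__ == "__main__":
    for allow in (False, True):
        c = build_server_context(allow_sslv3=allow)
        print(f"allow_sslv3={allow}: sslv3_disabled={sslv3_disabled(c)}, "
              f"server_cipher_preference={server_prefers_own_ciphers(c)}")
```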